A node between the physical and digital.
The rants and raves of Simon Wardley.
Industry and technology mapper, business strategist, destroyer of undeserved value. "I like ducks, they're fowl but not through choice"

Wednesday, May 15, 2013

Why I'm a fan of Bromium

I've been a big fan of Bromium for some time. No, I'm not on the advisory board, nor do I have shares in the company and yes, I do know the founders. However, just because I know someone doesn't mean I'm going to agree with what they are doing.

The reason why I'm a BIG fan of Bromium is because of the approach they have taken to dealing with security.

I used to work in the security industry and I can happily say that a chunk of it is based upon snake oil and fear. The general principle of creating a secure but functionally useful system rests on solving an impossible problem, and there are good commercial reasons for continuing to try. Let me explain why.

A basic understanding of mathematics and a realisation that a computer system is nothing more than a mathematical model would lead anyone to Gödel's incompleteness theorem and the impossibility of building a model that is both consistent and complete. There is no such thing as a provably, universally secure system which is useful. A system can only be described as provably secure within a set of given conditions and assumptions, one of which is that nobody finds a new attack vector which hasn't been catered for.

The parts of the security industry I worked in know that building a secure system is impossible, but it is actually in their commercial interest to keep attempting to solve the impossible. All these new attack vectors create constant revenue streams, painting the Forth Bridge so to speak, and a constant need for new virus signatures, protection upgrades against malware, etc. Oh, and if you don't keep up you might be exposed to new zero day exploits, viruses, malware ... fear, fear, fear ... give us your money. Of course, this carefully skips over the other issue that protection is always post-event, i.e. after the new vector is in the wild, discovered or written by security testers.

What I most like about Bromium is they don't try to solve the impossible. Bromium doesn't try to stop you from ever being hacked, receiving malware or being hit by a zero day exploit because to do so would be impossible. Instead they accept that you will be hacked and receive zero day exploits. What Bromium focuses on is limitation of the damage and this (unlike the incompleteness theorem) is a more solvable problem.

The principle here is rather simple. If you accept that you will receive a zero day exploit that you've never seen before (and therefore cannot protect against), then what you do is limit the damage to as small and as temporary an environment as possible. In the case of Bromium, every process on the machine (i.e. every browser tab, every individual email) runs in a hardware-isolated micro VM.

Let us suppose an attacker has sent you some previously unseen zero day exploit in an email which would bypass most standard security protection. Under Bromium, a successful attack will gain control of the hardware-isolated MicroVM which that email runs in. That MicroVM consists of an empty machine plus the attacker's email, all isolated away from everything else (i.e. all your other emails, files, etc.). Of course, as soon as the user closes the browser tab or the email, the MicroVM, including the attacker's malware, disappears, returning the machine to its previous "secure" state.

What Bromium has neatly done is not try to solve the impossible (preventing you from being attacked) but instead limit any damage to as small and as temporary a space as possible. Hence, whilst Bromium does not prevent any zero day exploits from being run, it reduces their impact to practically negligible. The fear is gone. The fact that one email has been compromised doesn't impact all the other emails or the other applications and environments on my machine. It's all isolated, and to get rid of the problem I just close that email.
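To make the damage-limitation argument concrete, here is an added toy model (my own illustration, not Bromium's code) that runs the same simulated exploit under two policies: a legacy renderer that shares the host's files and storage, and a per-item ephemeral environment that holds nothing but an empty machine plus the one email and is discarded on close. It models the policy only, not the hardware virtualisation that enforces it; the mailbox contents, message ids and the `implant.bin` name are all constructed for the example.

```python
"""Blast radius of one compromised item: shared process vs per-item micro VM.

Added example, not Bromium's code. It models the damage-limitation policy
(one ephemeral environment per email, destroyed on close), not the hardware
isolation that enforces it in the real product. All sample data is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample mailbox; "msg-3" is the item that compromises its renderer.
MAILBOX = {
    "msg-1": "Quarterly figures attached, please review.",
    "msg-2": "Password reset link for your HR account.",
    "msg-3": "INVOICE.pdf.exe",  # constructed: stands in for a zero-day payload
}
COMPROMISED_ITEM = "msg-3"


@dataclass
class Host:
    """Long-lived user environment: the thing we want to protect."""
    files: dict = field(default_factory=lambda: dict(MAILBOX))
    persisted: set = field(default_factory=set)  # names written to durable storage


def malicious_payload(visible_files, write):
    """What a successful exploit does once it runs: read everything it can
    see and drop a persistence artefact. It only receives the view that the
    execution environment hands it, so the same payload has a different
    blast radius under each model."""
    stolen = dict(visible_files)
    write("implant.bin")  # constructed artefact name
    return stolen


def render_shared(host: Host, item: str):
    """Legacy model: the renderer runs with the host's files and storage."""
    if item == COMPROMISED_ITEM:
        return malicious_payload(host.files, host.persisted.add)
    return {item: host.files[item]}


@dataclass
class MicroVM:
    """Ephemeral environment: an empty machine plus exactly one item."""
    item: str
    files: dict
    scratch: set = field(default_factory=set)  # the only storage the VM has

    def run(self):
        if self.item == COMPROMISED_ITEM:
            return malicious_payload(self.files, self.scratch.add)
        return dict(self.files)

    def close(self):
        # Closing the email discards the whole VM, implant included.
        self.files.clear()
        self.scratch.clear()


def render_isolated(host: Host, item: str):
    """Micro VM model: the item is copied into a fresh VM that is torn down
    as soon as the user closes it; nothing it wrote reaches the host."""
    vm = MicroVM(item, {item: host.files[item]})
    try:
        return vm.run()
    finally:
        vm.close()


def blast_radius(render):
    """Open every message with the given renderer and report what the
    exploit managed to read and what survived on the host afterwards."""
    host = Host()
    stolen = {}
    for item in MAILBOX:
        result = render(host, item)
        if item == COMPROMISED_ITEM:
            stolen = result
    return sorted(stolen), sorted(host.persisted)


if __name__ == "__main__":
    print("shared process:", blast_radius(render_shared))
    print("per-item micro VM:", blast_radius(render_isolated))
```

Under the shared model the payload reads every message and leaves an implant on the host; under the per-item model it sees only the message it arrived in, and the implant vanishes with the VM when that message is closed, which is exactly the "close the email and the problem is gone" property the post describes.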

Now this doesn't solve all the issues of security by a long shot, it's no magic bullet. There are numerous other attack vectors such as wetware and social engineering attacks. But what it does do is threaten to disrupt an entire branch of the security industry which in my view needs to be disrupted and has become an unwelcome leech.

I like people who find difficult problems and attempt to solve them by attacking the solvable bit (e.g. limitation of damage) rather than trying to solve the knowingly impossible which also happens to generate them continual revenue streams.